A bill recently proposed in the Senate could require boards of directors at public companies to disclose their cybersecurity risk and competencies, a move solution providers said is a much-needed step toward board-level accountability for cybersecurity.
The Cybersecurity Disclosure Act of 2017, or S.536, was proposed by Sen. Mark Warner (D-VA), Sen. Jack Reed (D-RI) and Sen. Susan Collins (R-ME). It would require public companies to report to the U.S. Securities and Exchange Commission whether their board of directors has cybersecurity expertise (as the SEC would define it in consultation with NIST) and what steps the company is taking to improve its cybersecurity. Under the bill, companies would report these items to the SEC as part of their annual filings.
The bill was introduced in the Senate earlier this month.
In a statement, Warner said the bill is designed to provide transparency to shareholders as to what risk public companies face when it comes to cybersecurity.
"It is in the best interest of consumers and shareholders for companies to fully disclose the plans they've set in place to defend against [data breaches]," Warner said. "This legislation provides needed transparency in an often-shrouded process that directly affects the privacy of millions, and will serve as a tool to urge other entities to follow through on establishing a reliable strategy to counter cyberattacks."
Solution providers cheered the proposed bill, saying it is a much-needed first step to increase board-level accountability for cybersecurity spending and potential breaches. Matt Johnson, CEO of Baltimore, Md.-based Phalanx Secure Solutions, said in an email that "public disclosure is a good first step" to helping improve cybersecurity transparency at large companies.
"It is a needed piece of legislation. Too many people are putting trust in these larger companies without fully knowing what is going on behind the scenes. How many times have we purchased something online from a public company, put in all of our personal data and then have trust in their security measures, only to find out later that they have been breached?" Johnson said.
The legislation comes as cybersecurity is already an issue that boards of directors and C-suite executives care about, given the implications a breach can have for a company's reputation, its finances, or even the CEO's job. Ryan LaSalle, Accenture Security's managing director of growth and strategy, said he is "absolutely" seeing security become top of mind for company boards of directors and top executives. In a recent Accenture study of around 2,000 companies worldwide, 70 percent said that security is a board-level concern.
"It is absolutely a board-level issue," LaSalle said. "We're seeing it in all of our customer base."